Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-54314

Summary
Assigner-Patchstack
Assigner Org ID-21595511-bba5-4825-b968-b78d1f9984a3
Published At-13 Dec, 2024 | 14:25
Updated At-28 Apr, 2026 | 16:10
Rejected At-
Credits

WordPress Primary Addon for Elementor plugin <= 1.6.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nicheaddons Primary Addon for Elementor primary-addon-for-elementor allows Stored XSS.This issue affects Primary Addon for Elementor: from n/a through <= 1.6.0.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Patchstack
Assigner Org ID:21595511-bba5-4825-b968-b78d1f9984a3
Published At:13 Dec, 2024 | 14:25
Updated At:28 Apr, 2026 | 16:10
Rejected At:
▼CVE Numbering Authority (CNA)
WordPress Primary Addon for Elementor plugin <= 1.6.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nicheaddons Primary Addon for Elementor primary-addon-for-elementor allows Stored XSS.This issue affects Primary Addon for Elementor: from n/a through <= 1.6.0.

Affected Products
Vendor
nicheaddons
Product
Primary Addon for Elementor
Collection URL
https://wordpress.org/plugins
Package Name
primary-addon-for-elementor
Default Status
unaffected
Versions
Affected
  • From 0 through 1.6.0 (custom)
    • -> unaffectedfrom1.6.2
Problem Types
TypeCWE IDDescription
CWECWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-592Stored XSS
CAPEC ID: CAPEC-592
Description: Stored XSS
Solutions

Configurations

Workarounds

Exploits

Credits

finder
João Pedro S Alcântara (Kinorth) | Patchstack Bug Bounty Program
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://patchstack.com/database/Wordpress/Plugin/primary-addon-for-elementor/vulnerability/wordpress-primary-addon-for-elementor-plugin-1-6-0-cross-site-scripting-xss-vulnerability?_s_id=cve
vdb-entry
Hyperlink: https://patchstack.com/database/Wordpress/Plugin/primary-addon-for-elementor/vulnerability/wordpress-primary-addon-for-elementor-plugin-1-6-0-cross-site-scripting-xss-vulnerability?_s_id=cve
Resource:
vdb-entry
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:audit@patchstack.com
Published At:13 Dec, 2024 | 15:15
Updated At:23 Apr, 2026 | 15:22

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nicheaddons Primary Addon for Elementor primary-addon-for-elementor allows Stored XSS.This issue affects Primary Addon for Elementor: from n/a through <= 1.6.0.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Type: Primary
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CPE Matches

nicheaddons
nicheaddons
>>primary_addon_for_elementor>>Versions before 1.6.2(exclusive)
cpe:2.3:a:nicheaddons:primary_addon_for_elementor:*:*:*:*:*:wordpress:*:*
Weaknesses
CWE IDTypeSource
CWE-79Secondaryaudit@patchstack.com
CWE ID: CWE-79
Type: Secondary
Source: audit@patchstack.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://patchstack.com/database/Wordpress/Plugin/primary-addon-for-elementor/vulnerability/wordpress-primary-addon-for-elementor-plugin-1-6-0-cross-site-scripting-xss-vulnerability?_s_id=cveaudit@patchstack.com
Third Party Advisory
Hyperlink: https://patchstack.com/database/Wordpress/Plugin/primary-addon-for-elementor/vulnerability/wordpress-primary-addon-for-elementor-plugin-1-6-0-cross-site-scripting-xss-vulnerability?_s_id=cve
Source: audit@patchstack.com
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

12352Records found

CVE-2024-54316
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.39% / 31.04%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:25
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Restaurant & Cafe Addon for Elementor plugin <= 1.5.8 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nicheaddons Restaurant & Cafe Addon for Elementor restaurant-cafe-addon-for-elementor allows DOM-Based XSS.This issue affects Restaurant & Cafe Addon for Elementor: from n/a through <= 1.5.8.

Action-Not Available
Vendor-nicheaddonsnicheaddons
Product-restaurant_\&_cafe_addon_for_elementorRestaurant & Cafe Addon for Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-44033
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.29% / 20.80%
||
7 Day CHG~0.00%
Published-06 Oct, 2024 | 12:19
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Primary Addon for Elementor plugin <= 1.5.7 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nicheaddons Primary Addon for Elementor primary-addon-for-elementor allows Stored XSS.This issue affects Primary Addon for Elementor: from n/a through <= 1.5.7.

Action-Not Available
Vendor-nicheaddonsnicheaddons
Product-primary_addon_for_elementorPrimary Addon for Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-54315
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.39% / 31.04%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:25
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Events Addon for Elementor plugin <= 2.2.2 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nicheaddons Events Addon for Elementor events-addon-for-elementor allows DOM-Based XSS.This issue affects Events Addon for Elementor: from n/a through <= 2.2.2.

Action-Not Available
Vendor-nicheaddonsnicheaddons
Product-events_addon_for_elementorEvents Addon for Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-51938
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.26% / 17.68%
||
7 Day CHG~0.00%
Published-19 Nov, 2024 | 16:30
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Charity Addon for Elementor plugin <= 1.3.2 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nicheaddons Charity Addon for Elementor charity-addon-for-elementor allows DOM-Based XSS.This issue affects Charity Addon for Elementor: from n/a through <= 1.3.2.

Action-Not Available
Vendor-nicheaddonsnicheaddons
Product-charity_addon_for_elementorCharity Addon for Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-51585
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.25% / 15.97%
||
7 Day CHG~0.00%
Published-09 Nov, 2024 | 14:59
Updated-11 May, 2026 | 21:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Sales Page Addon plugin <= 1.4.5 - Stored Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nicheaddons Sales Page Addon – Elementor & Beaver Builder sales-page-addon allows Stored XSS.This issue affects Sales Page Addon – Elementor & Beaver Builder: from n/a through <= 1.4.5.

Action-Not Available
Vendor-nicheaddonsnicheaddons
Product-sales_page_addonSales Page Addon – Elementor & Beaver Builder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-51581
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.25% / 15.97%
||
7 Day CHG~0.00%
Published-10 Nov, 2024 | 09:05
Updated-11 May, 2026 | 21:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Restaurant & Cafe Addon for Elementor plugin <= 1.5.6 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nicheaddons Restaurant & Cafe Addon for Elementor restaurant-cafe-addon-for-elementor allows Stored XSS.This issue affects Restaurant & Cafe Addon for Elementor: from n/a through <= 1.5.6.

Action-Not Available
Vendor-nicheaddonsnicheaddons
Product-restaurant_\&_cafe_addon_for_elementorRestaurant & Cafe Addon for Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-49259
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.25% / 16.67%
||
7 Day CHG~0.00%
Published-17 Oct, 2024 | 19:33
Updated-12 May, 2026 | 22:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Primary Addon for Elementor plugin <= 1.5.8 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nicheaddons Primary Addon for Elementor primary-addon-for-elementor allows Stored XSS.This issue affects Primary Addon for Elementor: from n/a through <= 1.5.8.

Action-Not Available
Vendor-nicheaddonsnicheaddons
Product-primary_addon_for_elementorPrimary Addon for Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-49264
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.24% / 15.16%
||
7 Day CHG~0.00%
Published-17 Oct, 2024 | 19:26
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Events Addon for Elementor plugin <= 2.2.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nicheaddons Events Addon for Elementor events-addon-for-elementor allows Stored XSS.This issue affects Events Addon for Elementor: from n/a through <= 2.2.0.

Action-Not Available
Vendor-nicheaddonsnicheaddons
Product-events_addon_for_elementorEvents Addon for Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4669
Matching Score-10
Assigner-Wordfence
ShareView Details
Matching Score-10
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.33% / 24.80%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 20:33
Updated-08 Apr, 2026 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Events Addon for Elementor <= 2.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

The Events Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Basic Slider, Upcoming Events, and Schedule widgets in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-nicheaddonsnicheaddons
Product-events_addon_for_elementorEvents Addon for Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-44026
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.26% / 16.96%
||
7 Day CHG~0.00%
Published-06 Oct, 2024 | 12:42
Updated-12 May, 2026 | 22:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Charity Addon for Elementor plugin <= 1.3.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nicheaddons Charity Addon for Elementor charity-addon-for-elementor allows Stored XSS.This issue affects Charity Addon for Elementor: from n/a through <= 1.3.0.

Action-Not Available
Vendor-nicheaddonsnicheaddons
Product-charity_addon_for_elementorCharity Addon for Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-44032
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.29% / 20.79%
||
7 Day CHG~0.00%
Published-06 Oct, 2024 | 12:27
Updated-12 May, 2026 | 22:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Restaurant & Cafe Addon for Elementor plugin <= 1.5.5 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nicheaddons Restaurant & Cafe Addon for Elementor restaurant-cafe-addon-for-elementor allows Stored XSS.This issue affects Restaurant & Cafe Addon for Elementor: from n/a through <= 1.5.5.

Action-Not Available
Vendor-nicheaddonsnicheaddons
Product-restaurant_\&_cafe_addon_for_elementorRestaurant & Cafe Addon for Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-44024
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.25% / 16.39%
||
7 Day CHG~0.00%
Published-06 Oct, 2024 | 12:45
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Medical Addon for Elementor plugin <= 1.6.4 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nicheaddons Medical Addon for Elementor medical-addon-for-elementor allows Stored XSS.This issue affects Medical Addon for Elementor: from n/a through <= 1.6.4.

Action-Not Available
Vendor-nicheaddons
Product-Medical Addon for Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13362
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.28% / 19.46%
||
7 Day CHG~0.00%
Published-01 May, 2026 | 05:29
Updated-01 May, 2026 | 13:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter

Multiple plugins and/or themes for WordPress are vulnerable to Reflected Cross-Site Scripting via the url parameter in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Action-Not Available
Vendor-damian-gorawpsaadessekianicheaddonsbpluginscodesavorysenolsxplodedthemestonyzeoli100pluginswebba-agencymapstersamdanitakanakuihkdigitalagencytobias_conradpagupparetodigitaltripettooceanwppluginswareelliotvsblackandwhitedigitalwpbitsenwebyuriahs-victorsaadiqbalunitecmsgn_themessjavedmohsinofflinehasanazizulgallerycreatorpremmercenitin247themelocationspiderdevsbensibleysebettickerawordpluswpspeedocyclonecodeinaviiseezeeelespareimtiazrayhankofimokomedavidandersonprinceahmedinfornwebgowebsmartymr2pkaizencodersspeedifymeowcrewsmartwpresspluginscafeblocksparemattpramschufer5starpluginsfullworksvinod-dalviinteractivegeomapsmikewire_rocksolidpeterschulznltheafricanbossmihail-barinovjosevegarebelcodewebheadllcpassionatebrainswpdeverlitonice13tobiasbgfoopluginswpjolipluginandplaybouncingsproutwebfactoryprasadkirpekardashlabsltdmhmrajibcyberhobokoen12344cleverpluginsspicethemesinvisnettoddhalfpennyyuvaloplugins360kairainfosatechstreamweaselsmte90wpmagicsBiplob Adhikari (Oxilab Development)AF themes
Product-Post to Google My Business (Google Business Profile)Mapster WP MapsShare This ImageFeatured Images in RSS for Mailchimp & MoreBetter Messages – Live Chat, Chat Rooms, Real-Time Messaging & Private MessagesGo Fetch Jobs (for WP Job Manager)Post Slider and Post Carousel with Post Vertical Scrolling Widget – A Responsive Post SliderMixed Media Gallery BlocksFive-Star Ratings ShortcodeAI Bud – AI Content Generator, AI Chatbot, ChatGPT, Gemini, GPT-4oAI Puffer – Chat. Create. Automate. (formerly AI Power)Auto-Install Free SSL – Generate & Install Free SSL CertificatesCarousel, Recent Post Slider and Banner SliderDisable Payment Methods based on cart conditions for WooCommerceXT Floating Cart for WooCommercePrimary Addon for ElementorUnlimited Elements For ElementorNotification Bar, Announcement and Cookie Notice WordPress Plugin – FooBarEasy Appointment Booking & Scheduling System – Webba Booking CalendarXT Quick View for WooCommerceWOW Styler for CF7 – Visual Styler for Contact Form 7 FormsEazyDocs – AI Powered Knowledge Base, Wiki, Documentation & FAQ BuilderMessage Filter for Contact Form 7Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile AppTreePress – Easy Family Trees & Ancestor ProfilesEasy Age VerifyRadio Station by netmix® – Manage and play your Show Schedule in WordPress!GA4WP – Analytics Dashboard for the WebsiteEmbedder for Google ReviewsPremmerce Permalink Manager for WooCommerceSolid Testimonials – Testimonial Slider, Video Testimonials & Customer ReviewsWP Notification BellCustom WooCommerce Checkout Fields EditorWP fail2ban – Advanced SecurityInternal Link Juicer: SEO Auto Linker for WordPressAdvanced Classifieds & Directory ProWPBITS Addons For Elementor Page BuilderMenu Image, Icons made easyFile Manager for Google Drive – Integrate Google DriveWP Meta and Date RemoverGeo MashupBlog Designer Pack – Blog, Post Grid, Post Slider, Post Carousel, Category Post, NewsGlossaryEleSpare – News, Magazine and Blog Addons for ElementorJustified GalleryStreamWeasels Twitch IntegrationWP Books Gallery – Build Stunning Book Showcases & Libraries in MinutesPremmerce Product Filter for WooCommerceBulk Auto Image Alt Text (Alt tag, Alt attribute) optimizer (image SEO)Ivory Search – WordPress Search PluginAnnouncement & Notification Banner – BulletinWPIDE – File Manager & Code EditorWP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect, Security & SSL ScanbBlocks – Essential Gutenberg Blocks & Patterns CollectionDynamic Copyright YearDisplay Eventbrite EventsRestaurant & Cafe Addon for ElementorSpotlight Social Feeds – Block, Shortcode, and WidgetLogo Showcase – Responsive Logo Carousel, Logo Slider & Logo GridWordPress form builder plugin for contact forms, surveys and quizzes – TripettoWP Coupons and Deals – Coupon Plugin For Affiliate MarketersThank You Page for WooCommerceGoal Tracker – Custom Event Tracking for GA4Post List Designer – Category Post, Recent Post, Post ListWP Data Access – App Builder for Tables, Forms, Charts, Maps & DashboardsRestrict – membership, site, content and user access restrictions for WordPressKikote – Location Picker at Checkout & Google Address AutoFill Plugin for WooCommerceJoli Table Of ContentsCheckout with Cash App on WooCommerceIndependent AnalyticsEvents Addon for ElementorAutomatic Internal Links for SEO by PagupUltimeterPay For Post with WooCommerceTeam Members – A WordPress Team Plugin with Gallery, Grid, Carousel, Slider, Table, List, and MoreYASR – Yet Another Star Rating Plugin for WordPressMaster Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template KitsRole Based Pricing for Woo by Meow CrewOcean ExtraRadio Player – Live Shoutcast, Icecast and Any Audio Stream PlayerMeta Field Block – Display custom fields in the Block Editor without codingOpen User MapTablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, FluentCode ManagerText To Speech TTS AccessibilityAnti-Spam Protection – No API Key, GDPR FriendlyGallery by FooGalleryAutomatic YouTube GalleryStoreCustomizer – A plugin to Customize all WooCommerce PagesWP Page TemplatesAidWP – Donation & Payment Forms (Stripe Powered)WP Post Author – Author Box, Multiple Authors, Guest Authors & Custom AvatarsSecure Gateway for Authorize.net and WooCommerce by Pledged PluginsPayment Gateway for ACBA BANKProduct Layouts for WooCommerceAdvanced Scrollbar – Custom Scrollbar Styling and BehaviorSecurity Ninja – WordPress Security & FirewallXT Variation Swatches for WooCommerceDelete Posts automaticallyWidgets on PagesTablePress – Tables in WordPress made easyContact Form 7 Multi-Step FormsRevivePress – Keep your Old Content EvergreenHTML5 Audio Player – The Ultimate No-Code Podcast, MP3 & Audio PlayerAEH Speed Optimization: Browser Cache, Optimized Minify, Lazy Loading & Image OptimizationAWCA – The Great Analytics Insights for Your eStoreImage Alt Text Manager – Bulk & Dynamic Alt Tags For image SEO Optimization + AISmart phone field for Gravity FormsBulk Edit Posts and Products in SpreadsheetMarijuana Age VerifyForumax – AI Powered Advanced Community Forum PluginMusic Player for Elementor – Audio Player & Podcast PlayerFull Screen BackgroundMapGeo – Interactive Geo MapsKnowledge Base documentation & wiki plugin – BasePress DocsBlockSpare — News, Magazine and Blog Addons for (Gutenberg) Block EditorCoupon Affiliates – Affiliate Plugin for WooCommercePlace Order Without Payment for WooCommerceLightbox & Modal Popup WordPress Plugin – FooBoxWP Mobile Menu – The Mobile-Friendly Responsive MenuCustom PHP SettingsInavii Social FeedSend Users Email – Email Subscribers, Email Marketing NewsletterWP Shortcodes Plugin — Shortcodes UltimateDracula Dark Mode – Accessibility, Reading Mode & Dark Mode for WordPressPDF Poster – Display PDF Files with Custom ViewerEasy Social Feed – Social Photos Gallery and Post Feed for WordPressTeam Members ShowcaseURL Shortify – Simple and Easy URL ShortenerTopNewsWp – Display Tikcer News, RSS Feed Widget and Many MoreRemove Add to Cart WooCommerce
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-5229
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.34% / 26.22%
||
7 Day CHG~0.00%
Published-25 May, 2024 | 02:34
Updated-08 Apr, 2026 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Primary Addon for Elementor <= 1.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Pricing Table Widget

The Primary Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Pricing Table widget in all versions up to, and including, 1.5.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-nicheaddonsnicheaddonslivemeshelementor
Product-primary_addon_for_elementorPrimary Addon for Elementoraddons_for_elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-8150
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.22% / 11.96%
||
7 Day CHG~0.00%
Published-29 Aug, 2025 | 08:25
Updated-08 Apr, 2026 | 17:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Events Addon for Elementor <= 2.2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Typewriter and Countdown Widgets

The Events Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Typewriter and Countdown widgets in all versions up to, and including, 2.2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-nicheaddons
Product-Events Addon for Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-8212
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.22% / 12.19%
||
7 Day CHG+0.01%
Published-02 Aug, 2025 | 07:24
Updated-08 Apr, 2026 | 18:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Medical Addon for Elementor <= 1.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Typewriter Widget

The Medical Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Typewriter widget in all versions up to, and including, 1.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-nicheaddons
Product-Medical Addon for Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4216
Matching Score-4
Assigner-PostgreSQL
ShareView Details
Matching Score-4
Assigner-PostgreSQL
CVSS Score-7.4||HIGH
EPSS-0.46% / 36.73%
||
7 Day CHG~0.00%
Published-02 May, 2024 | 17:42
Updated-19 Sep, 2025 | 13:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS vulnerability in /settings/store API response json payload in pgAdmin 4

pgAdmin <= 8.5 is affected by XSS vulnerability in /settings/store API response json payload. This vulnerability allows attackers to execute malicious script at the client end.

Action-Not Available
Vendor-pgadminpgadmin.orgFedora ProjectThe PostgreSQL Global Development Group
Product-pgadmin_4fedorapgAdmin 4pgadmin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4268
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.49% / 38.77%
||
7 Day CHG~0.00%
Published-02 Jul, 2024 | 11:01
Updated-08 Apr, 2026 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ultimate Blocks – WordPress Blocks Plugin <= 3.1.9 - Authenticated(Contributor+) Stored Cross-Site Scripting via Multiple Blocks

The Ultimate Blocks – WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's blocks in all versions up to, and including, 3.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-37457 may be a duplicate of this issue.

Action-Not Available
Vendor-dotcampultimateblocks
Product-ultimate_blocksUltimate Blocks – 25+ Gutenberg Blocks for Block Editor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-22252
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-5.4||MEDIUM
EPSS-0.48% / 37.99%
||
7 Day CHG~0.00%
Published-22 Mar, 2023 | 00:00
Updated-05 Mar, 2025 | 19:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AEM Reflected XSS Arbitrary code execution

Experience Manager versions 6.5.15.0 (and earlier) are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If a low-privileged attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.

Action-Not Available
Vendor-Adobe Inc.
Product-experience_manager_cloud_serviceexperience_managerExperience Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2007-1679
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.91% / 55.69%
||
7 Day CHG~0.00%
Published-26 Mar, 2007 | 23:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in Horde Groupware Webmail 1.0 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors in (1) imp/search.php and (2) ingo/rule.php. NOTE: this issue has been disputed by the vendor, noting that the search.php issue was resolved in CVE-2006-4255, and attackers can only use rule.php to inject XSS into their own pages

Action-Not Available
Vendor-n/aHorde LLC
Product-groupwaren/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-29231
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.62% / 45.32%
||
7 Day CHG~0.00%
Published-30 Dec, 2020 | 18:21
Updated-05 Jul, 2026 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

EGavilanMedia User Registration and Login System With Admin Panel 1.0 is affected by cross-site scripting (XSS) in the Admin Profile Page. This vulnerability can result in the attacker injecting the XSS payload in Admin Full Name and each time admin visits the Profile page from the admin panel, the XSS triggers.

Action-Not Available
Vendor-n/aremyandrade
Product-user_registration_and_login_system_with_admin_paneln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-42834
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.47% / 37.09%
||
7 Day CHG~0.00%
Published-13 Nov, 2024 | 00:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A stored cross-site scripting (XSS) vulnerability in the Create Customer API in Incognito Service Activation Center (SAC) UI v14.11 allows authenticated attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the lastName parameter.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-2143
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.32% / 23.89%
||
7 Day CHG+0.04%
Published-17 Jul, 2023 | 13:29
Updated-30 Oct, 2024 | 15:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Enable SVG, WebP & ICO Upload <= 1.0.3 - Author+ Stored XSS

The Enable SVG, WebP & ICO Upload WordPress plugin through 1.0.3 does not sanitize SVG file contents, leading to a Cross-Site Scripting vulnerability.

Action-Not Available
Vendor-ideastocodeUnknown
Product-enable_svg\,_webp_\&_ico_uploadEnable SVG, WebP & ICO Upload
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-41844
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-5.4||MEDIUM
EPSS-0.30% / 21.36%
||
7 Day CHG~0.00%
Published-23 Aug, 2024 | 16:53
Updated-07 Oct, 2024 | 13:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)

Adobe Experience Manager versions 6.5.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

Action-Not Available
Vendor-Adobe Inc.
Product-experience_managerAdobe Experience Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-41911
Matching Score-4
Assigner-HP Inc.
ShareView Details
Matching Score-4
Assigner-HP Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.24% / 15.26%
||
7 Day CHG~0.00%
Published-06 Aug, 2024 | 14:07
Updated-02 Oct, 2025 | 17:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability was discovered in the firmware builds up to 10.10.2.2 in Poly Clariti Manager devices. The flaw does not properly neutralize input during a web page generation.

Action-Not Available
Vendor-HP Inc.
Product-poly_clariti_managerPoly Clariti Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4265
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.56% / 42.27%
||
7 Day CHG~0.00%
Published-02 May, 2024 | 16:52
Updated-08 Apr, 2026 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor <= 2.0.5.9 - Contributor+ Stored Cross-Site Scripting

The Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in versions up to, and including, 2.0.5.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-35688 is likely a duplicate of this issue.

Action-Not Available
Vendor-master-addonslitonice13
Product-master_addonsMaster Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template Kits
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-22269
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-5.4||MEDIUM
EPSS-0.48% / 38.00%
||
7 Day CHG~0.00%
Published-22 Mar, 2023 | 00:00
Updated-05 Mar, 2025 | 19:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AEM Reflected XSS Arbitrary code execution

Experience Manager versions 6.5.15.0 (and earlier) are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If a low-privileged attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.

Action-Not Available
Vendor-Adobe Inc.
Product-experience_manager_cloud_serviceexperience_managerExperience Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4187
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
ShareView Details
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
CVSS Score-2.1||LOW
EPSS-0.23% / 13.63%
||
7 Day CHG~0.00%
Published-31 Jul, 2024 | 20:28
Updated-15 Aug, 2024 | 14:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS vulnerability has been discovered in OpenText™ Filr. The vulnerability could cause users to not be warned when clicking links to external sites.

Stored XSS vulnerability has been discovered in OpenText™ Filr product, affecting versions 24.1.1 and 24.2. The vulnerability could cause users to not be warned when clicking links to external sites.

Action-Not Available
Vendor-Open Text Corporation
Product-filrFilr
CWE ID-CWE-356
Product UI does not Warn User of Unsafe Actions
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-9526
Matching Score-4
Assigner-Google LLC
ShareView Details
Matching Score-4
Assigner-Google LLC
CVSS Score-7.1||HIGH
EPSS-0.21% / 10.81%
||
7 Day CHG~0.00%
Published-18 Nov, 2024 | 13:30
Updated-23 Jul, 2025 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS in Kubeflow Pipeline View

There exists a stored XSS Vulnerability in Kubeflow Pipeline View web UI. The Kubeflow Web UI allows to create new pipelines. When creating a new pipeline, it is possible to add a description. The description field allows html tags, which are not filtered properly. Leading to a stored XSS. We recommend upgrading past commit 930c35f1c543998e60e8d648ce93185c9b5dbe8d

Action-Not Available
Vendor-kubeflowKubeflowkubeflow
Product-pipelinesKubeflow Pipeline Viewkubeflow_w_pipeline_view
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-42763
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.41% / 33.41%
||
7 Day CHG~0.00%
Published-22 Aug, 2024 | 00:00
Updated-06 May, 2025 | 13:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Reflected Cross Site Scripting (XSS) vulnerability was found in the "/schedule.php" page of the Kashipara Bus Ticket Reservation System v1.0, which allows remote attackers to execute arbitrary code via the "bookingdate" parameter.

Action-Not Available
Vendor-kjayvikn/aKashipara Group
Product-bus_ticket_reservation_systemn/abus_ticket_reservation_system
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-41825
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-4.6||MEDIUM
EPSS-0.27% / 18.28%
||
7 Day CHG-0.01%
Published-22 Jul, 2024 | 14:50
Updated-07 Aug, 2024 | 20:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains TeamCity before 2024.07 stored XSS was possible on the Code Inspection tab

Action-Not Available
Vendor-JetBrains s.r.o.
Product-teamcityTeamCity
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-9173
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.29% / 20.83%
||
7 Day CHG+0.01%
Published-26 Sep, 2024 | 09:29
Updated-08 Apr, 2026 | 17:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GF Custom Style <= 2.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

The GF Custom Style plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Action-Not Available
Vendor-alefypimentelalefypf
Product-gf_custom_styleGF Custom Style
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-2164
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-5.4||MEDIUM
EPSS-63.77% / 99.12%
||
7 Day CHG~0.00%
Published-01 Aug, 2023 | 23:36
Updated-20 Nov, 2025 | 04:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab

An issue has been discovered in GitLab affecting all versions starting from 15.9 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible for an attacker to trigger a stored XSS vulnerability via user interaction with a crafted URL in the WebIDE beta.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-27989
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-21.75% / 97.34%
||
7 Day CHG~0.00%
Published-16 Nov, 2020 | 16:56
Updated-04 Aug, 2024 | 16:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nagios XI before 5.7.5 is vulnerable to XSS in Dashboard Tools (Edit Dashboard).

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagios_xin/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-9811
Matching Score-4
Assigner-Mautic
ShareView Details
Matching Score-4
Assigner-Mautic
CVSS Score-5.4||MEDIUM
EPSS-0.13% / 3.16%
||
7 Day CHG~0.00%
Published-29 May, 2026 | 10:41
Updated-29 May, 2026 | 14:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A stored Cross-Site Scripting (XSS) vulnerability exists in the project selector component of Mautic 7. When rendering selection menus for associating projects with system entities, the application fails to sanitize project names returned via AJAX before injecting them into the DOM as option fields. An authenticated user with permissions to create projects can exploit this to store a malicious script payload in the project's name. When another administrative user subsequently opens an entity editor containing the project selector, the injected script executes within the context of their active browser session. This could allow an attacker to hijack the session, perform unauthorized state coordination, or access organizational data within the dashboard.

Action-Not Available
Vendor-
Product-
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-42055
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.38% / 30.34%
||
7 Day CHG~0.00%
Published-28 Jul, 2024 | 00:00
Updated-27 Oct, 2024 | 15:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cervantes through 0.5-alpha allows stored XSS.

Action-Not Available
Vendor-cervantessecn/a
Product-cervantesn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-41848
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-5.4||MEDIUM
EPSS-0.30% / 21.36%
||
7 Day CHG~0.00%
Published-23 Aug, 2024 | 16:53
Updated-07 Oct, 2024 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Adobe Experience Manager | Cross-site Scripting (Reflected XSS) (CWE-79)

Adobe Experience Manager versions 6.5.20 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.

Action-Not Available
Vendor-Adobe Inc.
Product-experience_managerAdobe Experience Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-28001
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-3.79% / 88.67%
||
7 Day CHG~0.00%
Published-03 Feb, 2021 | 15:53
Updated-04 Aug, 2024 | 16:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SolarWinds Serv-U before 15.2.2 allows Authenticated Stored XSS.

Action-Not Available
Vendor-n/aSolarWinds Worldwide, LLC.
Product-serv-un/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-3926
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.32% / 24.32%
||
7 Day CHG~0.00%
Published-22 May, 2024 | 14:32
Updated-08 Apr, 2026 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) <= 5.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via custom_attributes

The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom_attributes value in widgets in all versions up to, and including, 5.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-BdThemes
Product-element_packElement Pack – Widgets, Templates & Addons for Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-28847
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.45% / 36.28%
||
7 Day CHG~0.00%
Published-05 Apr, 2022 | 15:37
Updated-04 Aug, 2024 | 16:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Scripting (XSS) vulnerability in xCss Valine v1.4.14 via the nick parameter to /classes/Comment.

Action-Not Available
Vendor-valine.jsn/a
Product-valinen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4273
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.32% / 24.32%
||
7 Day CHG~0.00%
Published-04 Jun, 2024 | 05:32
Updated-08 Apr, 2026 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Essential Real Estate <= 4.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Essential Real Estate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ere_property_map' shortcode in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-g5plusg5theme
Product-essential_real_estateEssential Real Estate
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-21571
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.61% / 44.82%
||
7 Day CHG~0.00%
Published-14 Feb, 2023 | 19:32
Updated-01 Jan, 2025 | 00:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-dynamics_365Microsoft Dynamics 365 (on-premises) version 9.0Microsoft Dynamics 365 (on-premises) version 9.1
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-0054
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.25% / 16.62%
||
7 Day CHG~0.00%
Published-11 Feb, 2025 | 00:32
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server Java

SAP NetWeaver Application Server Java does not sufficiently handle user input, resulting in a stored cross-site scripting vulnerability. The application allows attackers with basic user privileges to store a Javascript payload on the server, which could be later executed in the victim's web browser. With this the attacker might be able to read or modify information associated with the vulnerable web page.

Action-Not Available
Vendor-SAP SE
Product-SAP NetWeaver Application Server Java
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-22253
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-5.4||MEDIUM
EPSS-0.48% / 38.00%
||
7 Day CHG~0.00%
Published-22 Mar, 2023 | 00:00
Updated-05 Mar, 2025 | 19:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AEM Reflected XSS Arbitrary code execution

Experience Manager versions 6.5.15.0 (and earlier) are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If a low-privileged attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.

Action-Not Available
Vendor-Adobe Inc.
Product-experience_manager_cloud_serviceexperience_managerExperience Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-20204
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.36% / 27.85%
||
7 Day CHG~0.00%
Published-03 Aug, 2023 | 21:15
Updated-21 Nov, 2024 | 21:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the web-based management interface of Cisco BroadWorks CommPilot Application Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-broadworks_application_delivery_platformbroadworks_application_serverbroadworks_xtended_services_platformCisco BroadWorks
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-29587
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.68% / 47.75%
||
7 Day CHG~0.00%
Published-14 Jan, 2021 | 15:07
Updated-04 Aug, 2024 | 16:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SimplCommerce 1.0.0-rc uses the Bootbox.js library, which allows creation of programmatic dialog boxes using Bootstrap modals. The Bootbox.js library intentionally does not perform any sanitization of user input, which results in a DOM XSS, because it uses the jQuery .html() function to directly append the payload to a dialog.

Action-Not Available
Vendor-simplcommercen/a
Product-simplcommercen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-41847
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-5.4||MEDIUM
EPSS-0.30% / 21.36%
||
7 Day CHG~0.00%
Published-23 Aug, 2024 | 16:53
Updated-07 Oct, 2024 | 13:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Adobe Experience Manager | Cross-site Scripting (Reflected XSS) (CWE-79)

Adobe Experience Manager versions 6.5.20 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.

Action-Not Available
Vendor-Adobe Inc.
Product-experience_managerAdobe Experience Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4293
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-3.5||LOW
EPSS-0.64% / 46.03%
||
7 Day CHG~0.00%
Published-27 Apr, 2024 | 21:31
Updated-27 Feb, 2025 | 16:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Doctor Appointment Management System appointment-bwdates-reports-details.php cross site scripting

A vulnerability classified as problematic was found in PHPGurukul Doctor Appointment Management System 1.0. Affected by this vulnerability is an unknown functionality of the file appointment-bwdates-reports-details.php. The manipulation of the argument fromdate/todate leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-262225 was assigned to this vulnerability.

Action-Not Available
Vendor-PHPGurukul LLP
Product-doctor_appointment_management_systemDoctor Appointment Management Systemdoctor_appointment_management_system
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4212
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.43% / 34.22%
||
7 Day CHG~0.00%
Published-06 Jun, 2024 | 03:32
Updated-08 Apr, 2026 | 17:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Themesflat Addons For Elementor <= 2.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting in Multiple Widgets

The Themesflat Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's TF Group Image, TF Nav Menu, TF Posts, TF Woo Product Grid, TF Accordion, and TF Image Box widgets in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-themesflatthemesflat
Product-themesflat_addons_for_elementorThemesflat Addons For Elementor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-41878
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-5.4||MEDIUM
EPSS-0.31% / 23.27%
||
7 Day CHG~0.00%
Published-23 Aug, 2024 | 16:53
Updated-07 Oct, 2024 | 12:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)

Adobe Experience Manager versions 6.5.19 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. This vulnerability could allow an attacker to inject and execute arbitrary JavaScript code within the context of the user's browser session. Exploitation of this issue requires user interaction, such as convincing a victim to click on a malicious link.

Action-Not Available
Vendor-Adobe Inc.
Product-experience_managerAdobe Experience Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 247
  • 248
  • Next
Details not found